Authenticate users of another Active Directory via the first Active Directory using Tomcat and LDAP on Linux
I have two Active Directories, ad1 and ad2, that trust each other. ad1 has groups that contain users of both ad1 and ad2. Using a Tomcat realm on a Linux server, I can authenticate users of ad1, together with their groups, against ad1 via LDAP.
I also want to authenticate users of ad2 using the LDAP server of ad1. Therefore, I added a computer account for the server running Tomcat to ad1. Is this possible using Tomcat realms and LDAP, or is it only possible within Microsoft software? I tried login names like "ad2\john.doe" and "john.doe@ad2" ("ad2" is the accessible DNS name) with no success.
If not, I will have to create the groups on ad2 and use another realm...
Solution 1:[1]
I would suggest that you configure the Active Directory trust relationship between the two AD domains such that users from both AD domains are able to log in to each other's AD domain and vice versa. To do so, kindly check the 'login.properties' file for defining separate realms for each domain. The following example of the 'login.properties' file configuration for the trust relationship between the two AD domains is shown below for your reference:
# Global settings
clientcreds = true
realms = internal, parent
ldap.prof.useprimarygroup = false

# Realm settings
# Update match pattern to allow other AD domain components
addomainname.ldap.prof.idmatch = (?i)(.*)@(?:.*\\.)?${realm:.*}
parent.realm = EXAMPLE.COM
parent.auth = ldap
parent.auth.bindmethod = simple
parent.auth.binddn = search: dn
parent.ldap.security = tls
parent.ldap.profile = adsldap
parent.ldap.prof.defaultusergroup = edqusers
parent.ldap.referral = follow
The example shown above is a modified version of the parent and child domain relationship given in the link below:
https://docs.oracle.com/middleware/1213/edq/DQSEC/ldap.htm#DQSEC143
Also, try the above on both AD domains and check whether it helps. If it doesn't, you will have to create groups on both AD domain realms of Apache Tomcat and authenticate accordingly. I would also suggest that you check the link below for more information:
https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
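The question is about a Tomcat realm, while the login.properties above follows the Oracle EDQ security guide that the answer links, so here is the equivalent Tomcat JNDIRealm configuration as an added example; it is not code from the original post or from either participant. The host names (dc1.ad1.example, dc2.ad1.example), the service-account DN and the password property are assumptions; the Realm attributes are the documented JNDIRealm attributes. The realm searches ad1's global catalog over LDAPS (port 3269) by userPrincipalName, binds as the user it finds, and collects group membership with a member search that also resolves nested groups.

```xml
<!-- Added example: Tomcat JNDIRealm against the global catalog of ad1.
     Place inside <Engine> or <Host> in server.xml.
     Host names, bind account and password property are assumptions. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc1.ad1.example:3269"
       alternateURL="ldaps://dc2.ad1.example:3269"
       connectionName="CN=svc-tomcat-ldap,OU=Service Accounts,DC=ad1,DC=example"
       connectionPassword="${tomcat.ldap.bindPassword}"
       referrals="follow"
       userBase=""
       userSubtree="true"
       userSearch="(userPrincipalName={0})"
       roleBase="DC=ad1,DC=example"
       roleSubtree="true"
       roleSearch="(member={0})"
       roleName="cn"
       roleNested="true"/>
```

Users log in with their UPN (john.doe@ad2.example); "ad2\john.doe" can never match because JNDIRealm substitutes the login name literally into userSearch. An empty userBase against the global catalog port searches the whole forest, which is what makes ad2 users findable at all: the global catalog holds a partial replica of every domain in the same forest, so the search returns the ad2 user's DN and the following bind is passed through to ad2 over the trust. If ad1 and ad2 are separate forests joined only by a trust, ad1's directory contains just foreignSecurityPrincipal stubs for the ad2 members of its groups, userSearch returns nothing, and the realm fails before it ever binds, however the trust is configured; in that case a second JNDIRealm pointed at ad2, wrapped with the first in an org.apache.catalina.realm.CombinedRealm, is the fallback the question already anticipates. The computer account created in ad1 plays no part in this flow: JNDIRealm binds with connectionName and connectionPassword, so that account should be a dedicated read-only one, its password kept out of server.xml through the property substitution shown, and the LDAPS port used so that neither the service credentials nor the users' bind passwords travel in clear text.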
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | KartikBhiwapurkar-MT |